The Barkly Team
May 2017

Data vs. Defeatism: 4 Keys to Stronger Security with AlienVault’s Javvad Malik

Security advocate and analyst Javvad Malik explains how organizations can get more value from their security technology without driving up complexity and costs.

At Barkly, we've been talking with our customers about the importance of a holistic approach to their defensive strategy, particularly with the growth and increased virulence of ransomware. It's inspired us to launch Barkly Fireside Chats, a series of conversations with leaders in the security market. The goal is to provide ideas on how organizations of all sizes can develop a more effective and balanced plan to improve their protection.

Key #1: Make informed decisions instead of assumptions

Jack Danahy, CTO and co-founder of Barkly

I’m glad to be spending time today talking with Javvad Malik, a highly active and popular security advocate at AlienVault. We reached out to Javvad because we’re hearing from our customers and partners that the AlienVault platform is allowing them to integrate more types of security products into their environments. As we learn about these teams’ efforts to balance their investments in security, the cost and complexity of management is a frequent source of friction, so we wanted to talk with Javvad about the ways he is seeing AlienVault users and partners take advantage of these more holistic security management approaches.

Javvad, in the early days of Security and Incident Event Management (SIEM) platforms, the implementations were typically fairly complex, with deployment and management requiring a pretty diverse set of skills. I recognize the value that AlienVault is bringing to companies who are managing security with smaller teams or fewer resources. How did you guys come up with the approach that helps them to reduce that complexity, and how do you make your Unified Security Management (USM) approach work for these companies who need to get it done more efficiently?

Javvad Malik, Security Advocate and Analyst at AlienVault

I think you're absolutely spot on in that traditional SIEMs were very cumbersome and you needed a lot of effort and expertise to deploy and then maintain them. So, to address exactly this problem, AlienVault looked at it and said “The SIEM itself is good technology, but perhaps the SIEM on its own is not enough.”

What you're actually expecting people to do is to get the SIEM in place and then integrate it with other solutions that they’ve already purchased so that they get more value out of the combined outputs, and can know more quickly what they are supposed to do with the alerts that are coming out of the SIEM.

So what we went about doing was to take base products that are needed for threat detection and response — this includes scanning, asset discovery, intrusion detection, behavioral analysis, and threat intelligence — and we combined that all together into the SIEM. So everything's pre-bundled, pre-made for you. It's like buying a frozen meal that will make me look like a Michelin-starred chef. All I need to do is pop it in the oven and 15 minutes later it's all there and everyone's really impressed. That's the value that AlienVault went for.

Jack Danahy, CTO and co-founder of Barkly

Looking at the suite — from vulnerability detection to incident response, events that occur all across their portfolio — you're giving AlienVault customers visibility across them all. But the threats, the organizations, everything, really — they're changing so much over time. How have you been supporting the customers who are adopting AlienVault? Have you seen their requirements change in the way that either they think about the various importance of the different stacks or the way that they're thinking about the problem as a whole?

Javvad Malik, Security Advocate and Analyst at AlienVault

I think what we've really given them, the element that was missing, was the foundation for them to understand exactly what their environment looks like, what kind of threats they're exposed to, and what kind of actions they should be taking when something does materialize. That's helped our customers to elevate the maturity of their security strategy and how they evolve it. So they are better positioned to actually address the threats that are more relevant to them.

For one company, denial of service (DoS) attacks might be more prevalent, and for another, they might be a more likely target for ransomware. Some might be victims of phishing, others might be driven to protect highly sensitive data.

Before they had access to the AlienVault context, they had all of this data, but assigning its importance was a bit arbitrary and could be fickle. They were relying on a lot of assumptions. We allow them to gather the right data and make better, more informed decisions that dictate how they invest in technology and additional security going forward.

Jack Danahy, CTO and co-founder of Barkly

So, as you're giving them more insight into the specific kinds of events that they're seeing, and as a result, they don't have to spread all of their security investments out like peanut butter: super thinly on everything. They can focus on areas that are most germane to the threats and incidents they're actually seeing.

Ordinarily, when I think about the best uses people put that type of monitoring information to, it really isn't just driving dwell time way down, it's the ability to know, super quickly, that something is either wrong or about to go wrong and giving them the opportunity to interdict something that's going to become a problem later.

We know that some of the attacks are damaging them very quickly, right? Ransomware is a great example. How do you see customers thinking about that problem, and how are they using AlienVault to get around it? Do they require some kind of interrupt or alert to get them moving?

Javvad Malik, Security Advocate and Analyst at AlienVault

I think from that perspective what we're seeing a lot of is that organizations know they can't rely only on one point of detection or one point of protection. It's about having the right capabilities at the right points that can give you that high-confidence alert very quickly.

It's very easy to have something, say on the network, that fires a lot of alerts to you, but if you then have to go through and get rid of all the false positives, it all becomes counter-productive. The idea is to better understand your critical monitoring systems, like host IDS and maybe your network IDS. You know your critical systems and you're correlating the events you get from them. They can combine that with a threat intelligence feed that's constantly being updated, and they are looking at strong indicators of compromise.

Putting it all together gives you a much better chance of capturing the breadth of the attacks that are out there. If you’re only focusing on how ransomware works today, tomorrow it's going to mutate. It's going to evolve. It will come at a different angle and you are going to have to update everything again. So it's about having the right set of controls at the right places to give you the right visibility. That visibility has to be on their premises, and — as we're seeing more and more — in the cloud, as well.

Key #2: Stay on top of attack trends

The WannaCry ransomware outbreak can be tied to a larger trend of attacks targeting open SMB and RDP ports.

Jack Danahy, CTO and co-founder of Barkly

As you're watching organizations work with AlienVault, are you seeing any trends in terms of the attacks they're facing, like advancements in ransomware or credential stealers? Are you finding there are more attacks or more sophisticated attacks in the AlienVault customer base or in the market as a whole?

Javvad Malik, Security Advocate and Analyst at AlienVault

There are a few trends that are emerging at the same time. To understand the trends, you need to understand where the attacks are coming from and what they're doing. So on one hand, you've got the growing maturity of the cybercriminal element (people don't like the term “cyber” but I use it). Ransomware attacks have become very profitable for them, and now you've got this whole cottage industry spawned by that. That's why ransomware is a very common technique and it's overtaking a lot of the other methods the criminals used in the past.

Then you have the activist-type attacks against a company. And you still have the theft and leakage of data. So we're seeing several trends develop, but a lot of it is industry-specific or data-specific. That said, ransomware and general financial crime continues to be one of the biggest threats that crosses all industries.

Jack Danahy, CTO and co-founder of Barkly

So when you are talking about the threats that people are seeing, I’m guessing that some of that is coming from all the work you guys are doing in the threat community. You've got the Open Threat Exchange (OTX) where the community is supplying information to you. And I'm assuming that this is a main way for your customers to share information and for AlienVault to broaden its thoughtfulness about the coverage and the attacks that they are seeing.

Are you seeing requests from your customers to integrate other kinds of defensive technologies? Are they asking for AlienVault to become the central hub for non-AlienVault technologies, like backup and recovery, system update, or other protections that are orthogonal to the traditional inputs to SIEM or USM?

Javvad Malik, Security Advocate and Analyst at AlienVault

Yes and no. It really depends, because a lot of our customers are of a size where they're quite happy with kind of the capabilities they have. I think what we're seeing more than requests for more functionality is requests for ways of integrating with other technologies that they've already purchased.

We’re moving to address this. At RSA, we announced what we call AlienApps, which is an open platform where other vendors can share their data, so AlienVault customers can get all the data coming into one place. That's something we're seeing more and more: partners interested in writing apps for customers so that they can get that integrated experience.

Jack Danahy, CTO and co-founder of Barkly

I can see that. What kind of capabilities does AlienApps give to the partner vendors?

Javvad Malik, Security Advocate and Analyst at AlienVault

It's mainly about data extraction. They can do two-way data correlation, pulling data into AlienVault to do more advanced correlations or creating their own dashboards.

In terms of more advanced orchestration or incident response in an automated manner, you've got capabilities to do things like quarantining. In that example, they can configure the system so that when a certain alarm triggers in the SIEM, they can take that machine off the network, reimage it, or rebuild it from a new image.

Key #3: Find the right balance of prevention and response

Jack Danahy, CTO and co-founder of Barkly

So, we did a survey of the gang on Spiceworks to ask them about how they view their investments in security. We were trying to figure out how they are thinking about the balance of their investments. One of the things that was interesting was that a majority of them gave their organizations a failing grade in terms of their ability to prevent breaches, but they felt great about their ability to recover.

In your experience, why do you think that trend exists? Why do you think that these customers are much more comfortable with cleaning up after a mess than they are with trying to stop the mess in the first place?

Javvad Malik, Security Advocate and Analyst at AlienVault

I love the Spiceworks crowd because they're always an opinionated bunch and they don't mince their words. So it's an interesting thing. I think it's something that warrants more discussion because a survey doesn't always show the full depth of the conversation that goes on.

From our perspective, it's not that companies or individuals don't trust their prevention technologies or processes they have in place. The fact is that it's been tried and tested, and they know that it's not gonna work 100% of the time. Things will get through. Whether it’s a technical attack, an insider, or a user’s error, everyone's experienced them at some point or another. And because of the nature of a lot of technology, it's a lot easier to recover than it was 10 or 15 years ago. Their backups are quicker, they can re-image systems more easily, and they can recover some things from the cloud. We see a lot of people favoring that approach.

And in some cases, it really is just practical. I was reading last year about a university in England that's been repeatedly attacked. They got hit with ransomware 21 times in one year. And the writer was asking, “How can you fall for that 21 times?” And their response was pretty reasonable. They said, “It's just a lot easier for us to just wipe the system, rebuild it overnight, and start from scratch again." For them, that was a better solution. It was more cost-effective and easier to implement than actually trying to prevent the ransomware getting in and teaching all of their students not to click on links and attachments.

So I think it's 50/50. Half believe that infection is going to happen no matter what, and the others are just thinking about business convenience.

Jack Danahy, CTO and co-founder of Barkly

I wonder if they had known in advance they were going to have to recover from ransomware 21 times if that would have changed their priorities. And if anyone had considered that their students will go off into the real world not having learned that they need to be more careful. Do they know that when those students are working in London’s financial district or they're off in a doctor's practice someplace, that this same kind of thing is going to have seriously negative effects on an organization that can't simply restore things very quickly?

I can see why it may make sense tactically to focus on recovery, because sometimes it's cheaper just to shrug and clean up. But looking forward, it's always a wonder to me that the can just keeps getting kicked down the road. Not that anyone would expect to see anything like bullet-proof protection, but it looks like the security industry has spent so much time talking about how "no security is 100%" that they’ve completely convinced people that infections are inevitable and the most important security element is the response plan.

This gets ultimately translated into a very dangerous prioritization: “You're going to have to respond to some events anyway, so why bother trying very hard to stop things upfront?" If we did this in healthcare, people would stop worrying about vaccines or preventive medicine; they’d just do their best to treat diseases that may have been avoided in the first place.

Javvad Malik, Security Advocate and Analyst at AlienVault

I suppose one of the analogies that I really like is the boxing analogy. You can't always completely avoid getting hit, but you know enough to roll with the punches so that you minimize the impact and you can dish out a few punches yourself. It's about finding that balance.

"Security isn't about just standing there and taking all the punches because you're convinced you're going to get hit, anyway. That's a defeatist mentality we have to avoid."

There is a delicate balance that will vary from company to company. But I completely agree with your point that we should look from a more strategic perspective, especially when it comes to creating those behaviors within people, whether it be students or employees, because that will just make life a lot easier. Without that perspective, you're just feeding into a vicious cycle.

Key #4: Stay positive and leverage the security community

Jack Danahy, CTO and co-founder of Barkly

Right on. I'd also like to ask about the tone of AlienVault’s voice in the market, if you don't mind talking about it for a second.

Security is full of aggressive and sometimes negative imagery, and it is one of few areas of IT investment that is dominated by fear, and not by opportunity. And then there’s AlienVault, a friendly-looking company taking a more positive view. How have you seen this develop, and do you think it’s the technology that makes it possible, or is it something else?

Javvad Malik, Security Advocate and Analyst at AlienVault

I think, first and foremost, you have to have a product that actually does what you hope it sets out to do, something that you're confident in and you're happy to promote and speak about. Once you have that, it becomes a lot easier when you have the right team in place and they have genuine enthusiasm.

We're very fortunate, we have a really enthusiastic bunch of people working here. Everyone's really positive. And like anything, every now and then something might happen that's not really part of the plan, but because everyone believes in the product and they're passionate about it, they go about it with a smile on their face and they'll try to make things right. And I think the company is just such a strong believer in being positive about things. There's no need to needlessly scare people or bash others and peddle fright when it's a real problem. If you've got a real solution, then you should be able to go about it in a positive way.

Jack Danahy, CTO and co-founder of Barkly

We’ve had a great discussion, but here’s a closing question: You guys, while you’re solving a bunch of problems for people with the suite, you’re also watching and helping teams who are wrestling with a variety of challenges. My guess is, particularly for someone like you who writes and communicates a lot, you need to get people to feel that they can make real progress and that they shouldn’t be intimidated by the whole process of doing security. If you had to give the audience one tip to make their security better and less daunting, aside from the tip that they really should pick up AlienVault because it's pretty awesome, what would you tell them?

Javvad Malik, Security Advocate and Analyst at AlienVault

Wow. One tip that really nails it. I think the best tip I can give is to leverage the security community. That might include security professionals with whom you work directly or indirectly, or other security professionals you might meet through online forums like Spiceworks. It may be someone who's part of your threat sharing network.

I think that's where you can really get the most benefit in terms of knowledge sharing — knowledge about the tools, knowledge about the threats people are dealing with — and share best practices on how to defend ourselves. Because that's really where I think we could do better, even though we're doing pretty well. I think we can all move forward much more quickly if we unify as an industry and work more together.

For more information on AlienVault, visit https://www.alienvault.com/ 

Stay tuned for more conversations in our Fireside Chat series by subscribing to the Barkly blog.
